Image description: Anonymous person wearing a black hoodie holding a mobile device, with a city landscape in the background.

Protecting your privacy and identity online

David Kiley
Published in Belong Blog
Nov 7, 2019

Did you know that between 2014–15, an estimated 1.6 million Australians experienced personal fraud? That’s roughly 8.5% of the population! In this article, we dig a little deeper into identity theft, information privacy, and how you can reduce your risk.

Watch episode 1 of our BE SAFE Security Series: Privacy & Phishing

First and foremost, what is ‘identity theft’?

Identity theft is when an individual’s personal or financial information has been obtained to assume their identity and commit fraudulent acts (usually for financial gain).

It doesn’t take a lot of information: a talented cybercriminal can piece together an image of their target from just social media accounts and personal data left viewable in public forums. Some basic details and a good photo are all a criminal would need to start forging fake identity documents, which would be used to apply for loans and services under your name.

Would you know if your identity had been stolen?

You can never be sure if your information has been obtained illegally, but here are some warning signs that you’ve fallen victim to identity theft:

  • Unaccounted withdrawals and purchases on your bank statements.
  • You no longer receive certain pieces of mail, e.g. bank statements and bills.
  • Receiving invoices or receipts for items that you haven’t purchased.

Think you’ve been a victim of identity theft?

If you suspect your identity has been used fraudulently, there are some steps you can take:

  • If there are questionable transactions on your bank statement, reach out to your bank immediately to stop and/or investigate the transaction(s).
  • Irregular usage of your internet or questionable activity on your phone bill? Contact your service providers and let them know.
  • Search the ‘Help’ section of your social media account to either report fraudulent activity on your account, or get advice on how to change your account settings.
  • Lodge a report with the Australian Cyber Security Centre’s ReportCyber (previously ACORN).
  • Update your passwords if you feel they’ve been compromised, and ensure they’re strong.
  • Obtain a credit report from a reputable credit reference bureau to see if you’ve been affected by fraudulent activity.
  • Reach out to IDCare for personalised support.

Ways a cybercriminal can obtain someone’s personal information

There are some incredibly devious ways a criminal can obtain your personal information directly from you, including: impersonating a staff member from a bank or utility provider via email, fraudulent phone calls, and even face-to-face contact as a door to door salesperson.

Personal information can also be gleaned from documents and devices that have been discarded or lost such as unshredded bank statements, misplaced mobile phones and laptops, and login data from unsecure computers in an internet cafe.

Image description: statistical information — Identity crime costs Australia an estimated $1.6 billion dollars each year, with the major causes being credit card fraud, scams, and identity theft. *Source: https://www.cyber.gov.au/threats/identity-theft

Recognising a potential scam

We’ve listed a few of the more common information-gathering techniques below, and how you can combat them:

One Phish, Two Phish, Red Phish, Blue Phish

Phishing is when a cybercriminal obtains information by pretending to be a ‘trustworthy’ company — it’s one of the oldest forms of cybercrime and identity theft. While more commonly performed via email, phishing scams have moved into the realms of instant messaging and SMS texts. If you’ve received a message that asks you to provide sensitive information, click links, or perform other actions, it’s best to do a few checks to make sure the message is legitimate:

  • The sender’s address: Check that the sender’s details are similar to the signatory of the message (the name at the bottom) and that the domain name matches the company. If you’re suspicious about the sender’s legitimacy, don’t send back a response. You can always search for the official contact number of the organisation and confirm that they have a record of the communication sent to you. Never use the links or contact information supplied via email, instant messages, or text to contact the organisation.
  • Check the content of the message: Is there broken English or grammatical errors? Is the company’s logo the wrong colour or pixelated? If a real company has the money to send you an email, then they’ve got the money to make sure the email is triple-checked for spelling and design (unless they’ve got a terrible marketing team!). Even the subject line is a good clue — did you actually order that package from DHL?

While the email itself can look legit, take some time to hover over (not click!) the links to see which website they’re linked to. Remember that you can always contact the organisation directly to verify that they have indeed sent you that specific communication. Even if none of your ‘suspicious flags’ are triggered — it might just be a great scam!

‘Over the phone’ Social Engineering

Received a phone call from an unknown number and became suspicious of the caller? While similar to phishing in many ways, ‘social engineering’ attacks use deception to manipulate individuals into divulging confidential information so that it may be used for fraudulent purposes. Typically, these attacks rely on a façade of authenticity, authority or fear-mongering to gain a person’s compliance, for example:

  • “If you don’t pay your tax bill on time, you will go to prison!”
  • “Hi, this is Kevin from your ISP — we’ve detected a problem with your internet connection. In order to maintain your service, I will need you to perform the following actions; Before I do so, I need to confirm your identity — what is your date of birth?”

If you’re ever in a situation where you doubt the validity of the caller:

  • Don’t authenticate yourself by providing any information to the random caller. It might be your bank calling, or it might not, even if it seems they have information about you.
  • Ask the caller for a reference number and tell them that you’ll call back at a more convenient time. Disregard any contact details they may offer (but write them down in case they need to be reported!).
  • Search for the contact details of the organisation, contact them through the officially published mediums, and quote the reference number you were given — this will show if the original call was genuine.

If the caller gets angry or threatening, hang up and block the number. No company that wants your ongoing support or business will treat you this way.

Seen a missed call from a number you don’t recognise? Google is your friend!

Search the number online and see if it has been reported as safe or marked as a scam or suspicious number. Bear in mind that originating numbers can be regularly spoofed — the person on the end of that number may not be the person that called you.

Educating yourself and your family members on the different types of cybercriminal activities is the best line of defence. Keep your eyes open for anything that looks suspicious — a healthy bit of scepticism never goes astray!

Maintaining your privacy online

Social media accounts

Do you or your family members have social media accounts? A public account with little to no privacy adjustments can be a treasure trove of information for a cybercriminal, and you’d be surprised to see how much is visible to the general public!

Here are some helpful ways to ensure your information is safe from prying eyes:

  • Check your privacy settings on every account you have on each social platform, and make sure your personal details (such as your birthday, hometown, email address, and phone number) are hidden from public view.
  • Set your wall posts to ‘Private’ to ensure they’re only being seen and shared with people you know and trust.
  • Be wary of ‘friend’ requests from strangers. If they’re not someone you know, or their account looks fake, delete the request and block/report the account.

Remember, the more personal information you share in a public domain, the greater the risk of identity theft. Consider the information that correlates across multiple websites too, e.g. personal details on Facebook, interests and check-ins on Instagram, employment and company details on LinkedIn — your name and/or contact details can link these accounts together:

An attacker may find your date of birth on Facebook, link to your Instagram via your name/email to discover your address and current employment, and then cross-check that against the employment history published on LinkedIn. It is this type of information that may be used in a communication to create a façade of authenticity.

Online bank accounts and company databases

Received a suspicious text or email from your bank asking you to log into your online account and update your details? That’s a red flag! As part of ‘phishing’ and ‘social engineering’, it’s a well-known tactic for cybercriminals to impersonate an organisation and ask you to log in and update your account details via fraudulent emails and text messages.

If there really is a need for you to update your details with a company, make sure you’re logging into their official website and not following a link from a suspicious email or text.

The stronger the password, the stronger the security!

We all know they’re a pain in the proverbial posterior (especially when you forget them), but a strong password is essential in making it harder for someone else to gain access to your information. Here are a few key things to remember:

  • Use a mixture of uppercase, lowercase, numbers and special characters, e.g. !#$%^&*_- and ensure it’s at least 12 characters long.
  • Make sure the password is unique to you, and not based on something like your birthdate or a pet’s name.
  • Make sure you’ve used a different password for each service.
  • Install a password manager app from a reputable company to make using secure passwords easier. This is the key in modern life — passwords are hard to remember!
  • If available, turn on multi-factor authentication on any online account you have. Multi-factor secures your account with not only something you know (a password), but something you have (the ability to generate a unique token). It might be a little annoying, but the peace of mind is worth it.

Having said that, be cautious of using SMS or email as a second factor. Both are insecure protocols and can be forged or intercepted.

Viruses, malware and software bugs

Since the birth of the internet, users have been exposed to viruses, malicious software, and cybercriminals exploiting software bugs to gain access to their computers. Here’s what you can do to ensure your devices are secure:

  • Set your computer, mobile phone and/or tablet to regularly download and install any available program updates and patches to avoid bugs and security breaches.
  • Avoid ‘jailbreaking’ devices — even though it might allow you new freedom on your device, it does so by breaking the inherent security model of the device (making you more susceptible to compromise).
  • Run anti-malware software to ensure your device is as safe and secure as possible. While anti-malware packages may miss new types of malware, they protect you against a long string of commoditised malware that’s been around for a long time (and is still used).
  • Be careful when using Wi-Fi hotspots if you’re dealing with sensitive information, as the connection may not be secure. While the easiest choice is to simply not use open Wi-Fi hotspots, that might not always be practical. If you have absolutely no choice, set up a VPN and use that over the unsecured link.

If you’d like to learn more about protecting you and your family from identity theft, join our Privacy and Online Safety group on Facebook.

If I’m not teaching people how to dance, or folding origami, I’m writing articles and helping members of the Belong family with their internet and mobiles.